Author Topic: hash master password before it's used  (Read 18334 times)

Rex

  • Guest
hash master password before it's used
« on: October 02, 2005, 03:47:12 AM »
To improve security it would be great if the master password were hashed before it was used.

The hash would be computed as soon as the master passwd was entered. Once the hash is computed the master passwd is not required and can be deleted.

This way, the master passwd can never be compromised even if the user chooses the save in memory or save on disk option (since only the hash would be saved in memory or on disk and it would further be encrypted of course).

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
hash master password before it's used
« Reply #1 on: October 02, 2005, 04:31:33 AM »
Hi Rex,
Good idea but:

Quote
Once the hash is computed the master passwd is not required and can be deleted.

isn't accurate. Generated passwords are hashes of the master, not hashes of the master password's hash. Therefore, the master itself is required. Changing this behavior would invalidate everyone's current passwords and not add any more security: if someone obtains the hash of your master password, the risk is just as high as if they obtain the master itself.
« Last Edit: October 02, 2005, 04:33:56 AM by Eric H. Jung »

Rex

  • Guest
hash master password before it's used
« Reply #2 on: October 02, 2005, 03:12:59 PM »
That was my intent: use the hash of the master passwd to generate the other passwds.

The goal of this change is to prevent the master passwd itself (which may be used in other places too as a master passwd) from being compromised. This assumes that the security of the master passwd is more important than the security of all the generated passwords, so even if the generated passwds get compromised, the master is safe.

Yes, it would break all the current passwords though... and you would need to add a compatibility option... however, the place it is really useful is in the save to disk option, so it could be an option there.

btw: this is a great product. keep up the good work.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
hash master password before it's used
« Reply #3 on: October 05, 2005, 07:14:59 PM »
Quote
btw: this is a great product. keep up the good work.
Thank you!

Quote
so even if the generated passwd's get compromised, the master is safe.
That's not an issue today--anyone can get your generated passwords and not be able to determine your master.

But I understand your request. Its purpose is that it would secure the master password beyond the current encryption scheme if the user chooses to save it to disk.

It is a very good idea; one which I wish had been suggested in the early days of PasswordMaker because implementing it would cause the compatibility issue we discussed.

However, I think the compatibility problem can be minimized simply by adding a new item to the drop-down list under the master password textbox:
  • Do not store master password
  • Store master password in memory (encrypted)
  • Store master password on disk & in memory (encrypted)
  • new! Store master password on disk & in memory (hashed)
What do you think?

Tyrantmizar: can you add this to the FRL? Option to store MPW's hash to disk/memory
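The two storage modes discussed in Reply #2 and Reply #3 (feed the generator the master itself, or feed it a one-way token derived from the master and keep only that token) side by side, as an added example that is not part of the thread and not PasswordMaker's own code. The generator here (HMAC-SHA256 mapped onto a printable alphabet), the PBKDF2 token derivation, the fixed salt and the sample master password are all assumptions made for the illustration; PasswordMaker's real algorithms and settings differ.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Tuple

# Constructed for this example: a fixed salt so the same master yields the same
# stored token on every machine (a per-profile random salt would resist
# precomputation better but would have to travel with the saved profile).
EXAMPLE_SALT = b"passwordmaker-hashed-mpw-example"
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def generate_password(secret: bytes, site: str, length: int = 16) -> str:
    """Derive a site password from a secret and a site label.

    Illustrative generator only: HMAC-SHA256 keyed by the secret, with each
    digest byte mapped onto a printable alphabet and truncated to `length`.
    """
    digest = hmac.new(secret, site.encode("utf-8"), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest)[:length]


def legacy_secret(master: str) -> bytes:
    """Current behaviour in the thread: the master string itself feeds the generator."""
    return master.encode("utf-8")


def hashed_secret(master: str, iterations: int = 200_000) -> bytes:
    """Proposed behaviour: compute a one-way token from the master once.

    Only this token has to be kept in memory or on disk; the master string can
    be discarded as soon as the token exists. A thief who obtains the token can
    still generate every site password (Reply #1's point), but does not learn
    the master string the user may have reused elsewhere.
    """
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), EXAMPLE_SALT, iterations)


def migration_table(master: str, sites: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """For each site, the password under the old scheme and under the new one.

    This is the compatibility problem from the thread made concrete: switching
    modes changes every generated password, so each account has to be moved
    from the left column to the right column.
    """
    old = legacy_secret(master)
    new = hashed_secret(master)
    return {s: (generate_password(old, s), generate_password(new, s)) for s in sites}


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    token = hashed_secret(master)
    del master  # nothing below needs the master itself, only the token
    print("stored token (hex):", token.hex())
    for site in ("example.com", "mail.example.net"):
        print(site, generate_password(token, site))
```

The `migration_table` output is the practical cost of the "(hashed)" option: a user with many accounts (the 185-password case mentioned later in the thread) has to log in to each site and change its password from the old column to the new one, which is why a per-account marker for "already converted" makes sense.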

Guest

  • Guest
hash master password before it's used
« Reply #4 on: October 16, 2005, 11:17:30 AM »
"Eric" & "Romeo",

Yes I'm Back!!  As a suggestion for the HELP Manual, "When you convert your MasterPassword over to the Hashed form and access to your areas of usage the passwords can also be changed over to use the new Hashed version of the MasterPassword."  Maybe even a new field be added to the 'Advanced Options' under the Accounts tab 'MPWhash' so we can identify those that have been changed over, eventually making them all converted.  Some people will have many Passwords to change over, I have a friend that is considering PWM that has approx. 185 passwords to save.  He is looking over your software at this time.

CU L8R,
'LkonKbd'
By-Cycle

LkonKbd

  • Guest
hash master password before it's used
« Reply #5 on: October 16, 2005, 12:43:32 PM »
Greetings again,

After thinking about that added field suggested in my previous message.  That field should not be an option, it should be filled by the system if the MPW is HASHED before used.  The Option should be, "if you decide to HASH the MPW, if chosen that added field would have a 'check mark' or an 'X' to indicate the use of hashing."

Just a thought,

CU L8R,
Bye-cycle,
« Last Edit: October 16, 2005, 12:48:17 PM by LkonKbd »

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Re: hash master password before it's used
« Reply #6 on: August 08, 2007, 04:44:06 PM »
Duplicate of this request.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: hash master password before it's used
« Reply #7 on: August 28, 2007, 04:18:16 PM »
Ok, this was actually a duplicate of this one also: Option to store MPW's hash to disk/memory - so marking as such, and migrating votes...

PasswordMaker Forums
